While working on a routed link between an IOS-XE and an NX-OS component, I discovered a behaviour I had not been aware of. Imagine a routed point-to-point link between an NX-OS and an IOS-XE router.
Here are the configurations referred to:
IOS/IOS-XE:
key chain p2plink
key 1
key-string cisco
!
router ospf 1
area 0 authentication message-digest
!
interface fa1/1
ip ospf authentication key-chain p2plink
NX-OS:
key chain p2plink
key 1
key-string cisco
!
router ospf 1
area 0.0.0.0 authentication message-digest
!
int e1/1
ip ospf authentication key-chain p2plink
This configuration will not result in a successful neighbourship: the OSPF neighbours will not form an adjacency. The reason is that IOS-XE supports additional cryptographic algorithms. Both operating systems support clear-text and MD5 authentication (RFC 2328, Appendix D), but IOS-XE additionally supports SHA (Secure Hash Algorithm) based HMAC authentication as described in RFC 5709.
The error messages logged on IOS-XE if you do not specify the cryptographic algorithm are:
%OSPF-5-NOCRYPTOALG: Key ID 1 in key chain p2plink does not have a cryptographic algorithm
%OSPF-4-NOVALIDKEY: No valid authentication key is available on interface FastEthernet1/1
Without an explicitly defined cryptographic algorithm, IOS-XE/IOS will not assume a default value for the key, so the key chain is unusable. The fix is to set the algorithm on the key:
key chain p2plink
key 1
key-string cisco
cryptographic-algorithm md5
Defining MD5 as the cryptographic algorithm is the only choice if the point-to-point link is between NX-OS and IOS-XE/IOS.
Verification of the interface configuration:
NX-OS:
NX-OS# sh ip ospf interface e1/1
Ethernet1/1 is up, line protocol is up
IP address 192.0.2.1/30, Process ID 1 VRF default, area 0.0.0.0
Enabled by interface configuration
State P2P, Network type P2P, cost 100
Index 21, Transmit delay 1 sec
1 Neighbors, flooding to 1, adjacent with 1
Timer intervals: Hello 10, Dead 40, Wait 40, Retransmit 5
Hello timer due in 00:00:00
Message-digest authentication, using keychain p2plink (ready)
Number of opaque link LSAs: 0, checksum sum 0
IOS-XE/IOS:
IOS-XE#sh ip ospf interface fa1/1
FastEthernet1/1 is up, line protocol is up (connected)
Internet Address 192.0.2.2/30, Area 0, Attached via Interface Enable
Process ID 1, Router ID 192.0.2.2, Network Type POINT_TO_POINT, Cost: 100
Topology-MTID Cost Disabled Shutdown Topology Name
0 100 no no Base
Enabled by interface config, including secondary ip addresses
Transmit Delay is 1 sec, State POINT_TO_POINT
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
oob-resync timeout 40
Hello due in 00:00:05
Supports Link-local Signaling (LLS)
Cisco NSF helper support enabled
IETF NSF helper support enabled
Index 2/2, flood queue length 0
Next 0x0(0)/0x0(0)
Last flood scan length is 1, maximum is 51
Last flood scan time is 0 msec, maximum is 4 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 192.0.2.1
Suppress hello for 0 neighbor(s)
Cryptographic authentication enabled
Sending SA: Key 1, Algorithm MD5 - key chain p2plink
NX-OS has no support for the SHA algorithms at the time of writing, so MD5 is the only option at the moment. The following options are available on IOS/IOS-XE:
IOS-XE(config-keychain-key)#cryptographic-algorithm ?
hmac-sha-1 HMAC-SHA-1 authentication algorithm
hmac-sha-256 HMAC-SHA-256 authentication algorithm
hmac-sha-384 HMAC-SHA-384 authentication algorithm
hmac-sha-512 HMAC-SHA-512 authentication algorithm
md5 MD5 authentication algorithm
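The two conditions this entry walks through (an IOS-XE key with no cryptographic-algorithm, and an algorithm the NX-OS peer cannot match) as a small config-review script; this is an added example, not part of the original post. It assumes CLI text in the form shown above and, for NX-OS, that a key without an explicit algorithm is used with MD5, which is what the "(ready)" output above indicates.

```python
"""Added example (not from the original post): review an OSPF key chain for the interop failure described above."""
import re
# IOS-XE choices are the '?' help list in the post; NX-OS offers MD5 only.
SUPPORTED = {"ios-xe": {"hmac-sha-1", "hmac-sha-256", "hmac-sha-384",
                        "hmac-sha-512", "md5"}, "nx-os": {"md5"}}
# Key chain and interface lines of the post's IOS-XE config, as sample input.
IOSXE_CFG = """key chain p2plink
 key 1
  key-string cisco
!
interface fa1/1
 ip ospf authentication key-chain p2plink"""

def parse_key_chains(config):
    """Return {chain: {key_id: algorithm or None}}; a '!' line ends a block."""
    chains, chain, key = {}, None, None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            chain = key = None
        elif m := re.match(r"key chain (\S+)$", line):
            chain, key = m.group(1), None
            chains[chain] = {}
        elif chain and (m := re.match(r"key (\d+)$", line)):
            key = int(m.group(1))
            chains[chain][key] = None               # no algorithm seen yet
        elif key is not None and (m := re.match(r"cryptographic-algorithm (\S+)$", line)):
            chains[chain][key] = m.group(1)
    return chains

def key_chains_in_use(config):
    """Return {interface: chain} for each 'ip ospf authentication key-chain' line."""
    used, iface = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"int(?:erface)? (\S+)$", line):
            iface = m.group(1)
        elif iface and (m := re.match(r"ip ospf authentication key-chain (\S+)$", line)):
            used[iface] = m.group(1)
    return used

def audit(config, platform, peer):
    """List findings for the keys this device will send; empty means interoperable."""
    chains, findings = parse_key_chains(config), []
    for iface, name in key_chains_in_use(config).items():
        for key_id, alg in (chains.get(name) or {}).items():
            if alg is None and platform == "ios-xe":   # the post's NOCRYPTOALG case
                findings.append(f"{iface}: key {key_id} in {name} has no cryptographic-algorithm (NOCRYPTOALG)")
            elif (alg or "md5") not in SUPPORTED[peer]:  # assumption: NX-OS defaults to MD5
                findings.append(f"{iface}: key {key_id} uses {alg}, which {peer} cannot verify")
    return findings
```

Running audit(IOSXE_CFG, "ios-xe", "nx-os") on the config as first shown reports the NOCRYPTOALG finding; adding cryptographic-algorithm md5 under key 1 clears it, while hmac-sha-256 is flagged because the NX-OS side cannot verify it.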